oss-sec mailing list archives
Re: PoC: Function Pointer Protection in C Programs
From: "Stephen Röttger" <stephen.roettger () gmail com>
Date: Thu, 22 Aug 2013 12:07:01 +0200
After a bit of thought, loops with callbacks can be optimized by gcc. It could be possible to teach CSE to rewrite while(foo){ check(p); (*p)(x,y,z); } into check(p); while(foo){ (*p)(x,y,z); }
This might introduce security issues if an attacker is able to overwrite p during the execution of the loop. For example, if p is part of a dynamically allocated struct that has already been freed and an attacker can reallocate the memory after the first execution of the loop body, he would be able to bypass the check. On the other hand, if p is stored on the stack, vulnerabilities allowing it to be overwritten would likely also allow overwriting saved return addresses.
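As an added example (not code from the PoC or from either poster), a C sketch of why the check has to stay inside the loop: the pointer is re-read through a compiler barrier on every iteration, so a pointer that changes mid-loop is rejected instead of riding on a check that was done once up front. `check`, `allowed`, `run_loop` and the constructed callbacks are assumptions for illustration.

```c
#include <stddef.h>

/* Constructed example: a function-pointer check that validates the target
 * against a small table of legitimate callbacks (hypothetical, not the PoC's). */
typedef int (*cb_t)(int);

static int cb_double(int x) { return 2 * x; }
static int cb_negate(int x) { return -x; }
static int cb_rogue(int x)  { (void)x; return 0; }  /* stands in for an unexpected target */

static const cb_t allowed[] = { cb_double, cb_negate };

/* Returns 1 if p is one of the known-good callbacks, 0 otherwise. */
int check(cb_t p) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == p) return 1;
    return 0;
}

struct ctx { cb_t fn; };

/* Compiler barrier: the load of c->fn must happen again after it, so the
 * check cannot be hoisted out of the loop the way the quoted message describes,
 * even when the overwrite happens through code the compiler cannot see. */
#define barrier() __asm__ __volatile__("" ::: "memory")

/* Runs n iterations of a checked indirect call. After iteration swap_at the
 * pointer is replaced (modelling an overwrite during the loop; pass -1 for none).
 * Returns n and stores the accumulated result in *out, or returns -1 as soon
 * as the per-iteration check rejects the pointer. */
int run_loop(struct ctx *c, int n, int swap_at, int *out) {
    int sum = 0;
    for (int i = 0; i < n; i++) {
        barrier();
        cb_t p = c->fn;              /* re-read on every iteration */
        if (!check(p)) return -1;    /* check stays inside the loop */
        sum += p(i);
        if (i == swap_at) c->fn = cb_rogue;  /* models the mid-loop overwrite */
    }
    *out = sum;
    return n;
}
```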
Current thread:
- PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Alessandro Cresto Miseroglio (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Ondřej Bílka (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Ondřej Bílka (Aug 22)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 22)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Hannes Frederic Sowa (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 22)
- <Possible follow-ups>
- Re: PoC: Function Pointer Protection in C Programs Alessandro Cresto Miseroglio (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Alessandro Cresto Miseroglio (Aug 21)
- Re: PoC: Function Pointer Protection in C Programs Stephen Röttger (Aug 21)